By stealing a user's personal identification and financial account information, identity thieves breach trusted security mechanisms that are routinely relied upon by consumers, banks, merchants, healthcare providers, and the government. This identity fraud creates two victims: the consumer and the organization that manages the consumer's account. Even the threat of identity theft can create tension between these parties. For example, the risk of identity theft forces consumers to question whether any communication, be it a letter, an email, a website or a phone call, actually originated from the consumer's financial institution. Similarly, the threat of identity theft causes the Consumer's financial institution to take added measures to ensure that the party using a credit card or signing checks is actually the owner of the credit card or the checking account.
In the real world, there are many methods of identity authentication that are commonly used such as letters of introduction to vouch for our credentials and capability, Notary Publics to vouch for the authenticity of a signature, and drivers' licenses to authenticate payment by check. As transactions are increasingly conducted remotely via telephone or the Internet, the need for electronic counterparts of these face-to-face authentication methods has increased dramatically.
In the early days of remote transactions, a consumer would be asked to provide personal information or a password in order to authenticate a transaction. In the simplest of all authentication models, the consumer is asked challenge questions the answers to which require knowledge of the consumer's personal information such as social security number, drivers license number, birth date, mother's maiden name, or the like. Slightly more advanced models employ “single-factor” authentication. Single-factor authentication requires a consumer to present a single “shared secret” such as a password as proof of its validity. Single-factor authentication lacks security because it is so easy for a third party to steal or guess the password. Any purely information-based approach to authentication is vulnerable to increasingly sophisticated identity theft and fraud attacks.
To address this issue, some financial institutions have turned to multi-factor authentication which increases the number of authentication credentials a consumer must present to prove their identity. An example would be a logon system that requires the consumer to have a hardware device, such as, for example, a card, one-time password generator, or plug-in token, along with a password. This is referred to as a two-factor authentication scheme and can be characterized as “something you have” (i.e. the hardware key) and “something you know” (i.e. the password). Multi-factor authentication is much more secure than single-factor authentication because a thief that gains control of the hardware key will still be unable to access an account without the password. In addition, it is possible to include a biometric identifier so that one of the authentication factors becomes “something you are.”
The financial liability to organizations has escalated in recent years, largely as a result of legislation like The Sarbanes-Oxley Act of 2002. In addition, new guidance from the Federal Financial Institutions Examination Council (FFIEC) impacts how financial institutions handle sensitive transactions. While the FFIEC report does not say that a financial institution must immediately install strong authentication to protect all Internet banking activities, it does say that the institution must evaluate the risk of each transaction and the data exposed and then institute the proper controls. There is little question that the FFIEC guidance will promote the adoption of strong authentication technologies.
To address the issue of identity fraud, some parties have advocated moving from information-based authentication to these “strong” or “hardened” two-factor authentication system which requires the consumer to carry a unique physical device. This approach results in great cost to the organization and an unacceptable burden on the consumer. Even in cases where the hardened authentication systems utilize a scheme that a financial institution may deem secure at an acceptable cost, those systems don't address the consumer's need for convenience, nor the need to maintain privacy and integrity of the consumer's personal data.
Nevertheless, the declining cost of technology hardware has improved financial institutions' acceptance of hardened authentication systems. However, the issue of consumer adoption is more complicated. Consumers may be willing or able to carry a device to record and track identifying information and/or account information required by one financial institution, but are typically unwilling to carry multiple devices, one for each of the financial institutions, banks, merchants, healthcare providers, and governmental entities with whom they transact business. Consequently, consumers desire a single strong authentication mechanism that can be used by any of the organizations requiring the consumers identifying information. Moreover, consumers desire a scheme that operates consistently across all commercial transaction environments, whether on-line, over the phone or face-to-face.
There is a need, therefore, for a method and system that prevents fraud using a consumer's identifying information before, during and after a transaction. More specifically, the method and system must address new account fraud, account take-over fraud, payment fraud and general unauthorized access to sensitive personal information. There is also a need for a method and system that assists in the recovery process should identity theft occur. Such a system will be useful for a variety of organizations. For example, the prevention of new account fraud can be further used to minimize employment fraud and the prevention of payment fraud can also be further used to prevent fraudulent health-care insurance claims.
There is also a need for a system which is highly immune to identity fraud attacks. Ideally, such a system would employ multiple security factors, as well as multiple bands of communication prior to authenticating an individual. Such a multi-factor, multi-band system would present a significant technical obstacle for the fraudster to overcome.
There is also a need for a method and system that builds on the rigorous authentication processes that occur when an individual subscribes to, or applies for, credit-based accounts. Such a system will be useful for establishing new relationships with organizations and individuals.
There is a further need for a method and system that protects a consumer's credit file and credit scores by enabling creditors to authenticate new credit accounts prior to opening such accounts in a consumer's name. This provides the consumer with control over the consumer's personal credit not only with conventional creditors, but also from other users of credit files, including insurance and healthcare organizations and potential employers.